Dexter POS Malware Returns to Target Holiday Shoppers

Dexter, which was first documented by Seculert about a year ago, is a Windows-based malware used to steal credit card data from POS systems

According to Arbor Networks, the Stardust variant, Millenium (note spelling) and two samples of the Revelation variant (which can exfiltrate stolen data over FTP) were discovered in early November 2013 to be active on two server hosts.

Dexter also appears to be on a seasonal cycle, resurfacing ahead of the holiday shopping season.

“The exact method of compromise is not currently known, however POS systems suffer from the same security challenges that any other Windows-based deployment does,” Arbor said in an analysis. “Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop and open wireless networks that include a POS machine), misuse, social engineering and physical access are likely candidates for infection.”

Arbor also said that smaller businesses are likely an easier target because they typically have weaker security. “While the attackers may receive less card data from smaller retailers, infections may be more numerous and last longer due to the lack of security reporting and security staff in such environments,” it noted.

The good news is that Dexter is comparatively easy to deal with: host security measures are well suited to detecting it in the early stages of an infection, or even before one occurs.

“Antivirus applications show reasonable detection capabilities for the malware analyzed herein, although the actual alert names vary wildly – a common, yet unfortunate situation that gives defenders limited insight into the nature of the threats they face,” said Arbor. “Thankfully, host and network indicators for these campaigns are fairly distinct.”

To prevent infection in the first place, there are several steps retailers can take. Arbor recommends network hardening that tightly restricts incoming connections to remote desktop systems (including those used for vendor support), and keeping wireless networks well away from the POS machines. Beyond these common-sense steps, the OS and any third-party applications should be kept patched, and systems should be hardened with technologies such as Microsoft’s EMET where appropriate.
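The two recommendations above (restrict RDP into the POS segment, keep wireless networks away from it) and Arbor's earlier remark that the network indicators are distinct (outbound FTP is the exfiltration channel of the Revelation samples) translate naturally into a small policy check. The script below is an added example, not code from the article or from Arbor; it defines a POS-segment policy, audits a weak and a hardened version of it, and flags constructed connection records that violate it. All subnets, hosts and connections are invented for illustration and are not indicators from the report.

```python
"""Policy audit and connection review for a POS network segment.

Added example modelled on the hardening advice in the article; every
address, subnet and connection below is constructed, not an IoC.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

IPv4Net = ipaddress.IPv4Network
RDP_PORT = 3389
FTP_PORTS = {20, 21}  # FTP control channel and active-mode data channel


@dataclass(frozen=True)
class Connection:
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port


@dataclass
class PosSegmentPolicy:
    pos_subnet: IPv4Net                 # where the POS machines live
    rdp_allowed_sources: List[IPv4Net]  # who may open RDP into the segment
    wireless_subnets: List[IPv4Net]     # networks that must never reach it


def _in_any(addr: ipaddress.IPv4Address, nets: List[IPv4Net]) -> bool:
    return any(addr in net for net in nets)


def audit_policy(policy: PosSegmentPolicy) -> List[str]:
    """Static check of the policy itself against the hardening advice."""
    issues: List[str] = []
    for net in policy.rdp_allowed_sources:
        if net.prefixlen == 0:
            issues.append("RDP into the POS segment is reachable from any address")
    for wifi in policy.wireless_subnets:
        if wifi.overlaps(policy.pos_subnet):
            issues.append(f"wireless network {wifi} shares address space with the POS segment")
        if any(wifi.overlaps(allowed) for allowed in policy.rdp_allowed_sources):
            issues.append(f"wireless network {wifi} falls inside the RDP allowlist")
    return issues


def inspect(policy: PosSegmentPolicy, conn: Connection) -> List[str]:
    """Return the policy violations a single connection record represents."""
    src = ipaddress.ip_address(conn.src)
    dst = ipaddress.ip_address(conn.dst)
    src_is_pos = src in policy.pos_subnet
    dst_is_pos = dst in policy.pos_subnet
    hits: List[str] = []
    # Revelation-style exfiltration: a POS host talking FTP to the outside.
    if src_is_pos and not dst_is_pos and conn.dport in FTP_PORTS:
        hits.append("outbound FTP from a POS host")
    # Remote desktop into the segment from somewhere other than the support range.
    if dst_is_pos and conn.dport == RDP_PORT and not _in_any(src, policy.rdp_allowed_sources):
        hits.append("RDP to a POS host from outside the support allowlist")
    # Wireless clients must not reach POS machines at all, whatever the port.
    if dst_is_pos and _in_any(src, policy.wireless_subnets):
        hits.append("traffic from a wireless network into the POS segment")
    return hits


def review(policy: PosSegmentPolicy, conns: List[Connection]) -> Dict[int, List[str]]:
    """Map index of each offending connection to its findings."""
    report: Dict[int, List[str]] = {}
    for i, conn in enumerate(conns):
        hits = inspect(policy, conn)
        if hits:
            report[i] = hits
    return report


# Constructed policies: the weak one exposes RDP to the world.
POS_SUBNET = IPv4Net("10.0.10.0/24")
WIRELESS = [IPv4Net("10.0.50.0/24")]
WEAK_POLICY = PosSegmentPolicy(POS_SUBNET, [IPv4Net("0.0.0.0/0")], WIRELESS)
HARDENED_POLICY = PosSegmentPolicy(POS_SUBNET, [IPv4Net("203.0.113.0/24")], WIRELESS)

# Constructed connection records (documentation ranges used for outside hosts).
SAMPLE_CONNECTIONS = [
    Connection("203.0.113.7", "10.0.10.21", 3389),    # vendor support RDP, allowed
    Connection("198.51.100.9", "10.0.10.21", 3389),   # RDP from an unknown host
    Connection("10.0.50.33", "10.0.10.22", 445),      # wireless client into POS
    Connection("10.0.10.22", "198.51.100.40", 21),    # POS host sending FTP out
    Connection("10.0.10.22", "10.0.10.1", 53),        # ordinary intra-segment DNS
]

if __name__ == "__main__":
    print("weak policy issues:", audit_policy(WEAK_POLICY))
    print("hardened policy issues:", audit_policy(HARDENED_POLICY))
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"--- {name} ---")
        for i, hits in review(policy, SAMPLE_CONNECTIONS).items():
            print(i, SAMPLE_CONNECTIONS[i], hits)
```

Note how the second connection (RDP from an unknown address) is flagged only under the hardened policy: with RDP open to any source, the policy check itself passes the record through, which is why the static audit and the per-connection review are both needed.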

The infections are ongoing, but Arbor has informed law enforcement and vendors, it said.

“Malicious actors will continue to attack PoS systems and we can expect to see more malware enter into this space over time. More complex malware will enter into the picture as defenses increase. It is only a matter of time before evolution in tactics takes place, therefore network defenders need to be well prepared to protect POS and other financially sensitive systems that will continue to be a target for financially motivated threat actors.”